ldap/ldap_login module reports incorrect IP addresses for sessions #19744

Open
smcintyre-r7 opened this issue Dec 17, 2024 · 1 comment · May be fixed by #19751
Labels
bug not-stale Label to stop an issue from being auto closed

@smcintyre-r7
Contributor

When running the ldap_login module and creating an interactive session, the address 127.0.0.1 is shown as both the local and remote address. In my case, I'd expect the remote address to be the RHOST value, 192.168.159.10, and the local address to be my interface that is directly attached, 192.168.159.128.

To reproduce the error, run the module with CreateSession set to True and the necessary credential information to start an interactive session. In the "LDAP session # opened" message, see that the IP addresses are nonsense.

metasploit-framework (S:0 J:0) auxiliary(scanner/ldap/ldap_login) > show options 

Module options (auxiliary/scanner/ldap/ldap_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   ANONYMOUS_LOGIN   false            yes       Attempt to login with a blank username a
                                                nd password
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   CreateSession     true             no        Create a new session for every successfu
                                                l login
   DB_ALL_CREDS      false            no        Try each user/password couple stored in
                                                the current database
   DB_ALL_PASS       false            no        Add all passwords in the current databas
                                                e to the list
   DB_ALL_USERS      false            no        Add all users in the current database to
                                                 the list
   DB_SKIP_EXISTING  none             no        Skip existing credentials stored in the
                                                current database (Accepted: none, user,
                                                user&realm)
   DOMAIN            msflab.local     no        The domain to authenticate to
   PASSWORD          foobar           no        The password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS            192.168.159.10   yes       The target host(s), see https://docs.met
                                                asploit.com/docs/using-metasploit/basics
                                                /using-metasploit.html
   RPORT             389              yes       The target port
   SSL               true             no        Enable SSL on the LDAP connection
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works fo
                                                r a host
   SessionKeepalive  600              yes       Time (in seconds) for sending protocol-l
                                                evel keepalive messages
   THREADS           32               yes       The number of concurrent threads (max on
                                                e per host)
   USERNAME          mhatter          no        The username to authenticate with
   USERPASS_FILE                      no        File containing users and passwords sepa
                                                rated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all
                                                 users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


   When LDAP::Auth is one of auto,plaintext:

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   APPEND_DOMAIN  false            yes       Appends `@<DOMAIN> to the username for auth
                                             entication`


View the full module info with the info, or info -d command.

metasploit-framework (S:0 J:0) auxiliary(scanner/ldap/ldap_login) > run
[+] Success: 'Cert File /home/smcintyre/.msf4/loot/20241217162530_default_192.168.159.10_windows.ad.cs_098266.pfx'
[*] LDAP session 2 opened (127.0.0.1 -> 127.0.0.1) at 2024-12-17 16:31:20 -0500
[*] Scanned 1 of 1 hosts (100% complete)
[*] Bruteforce completed, 1 credential was successful.
[*] 1 LDAP session was opened successfully.
[*] Auxiliary module execution completed
metasploit-framework (S:1 J:0) auxiliary(scanner/ldap/ldap_login) >
@smcintyre-r7 smcintyre-r7 added the not-stale Label to stop an issue from being auto closed label Dec 18, 2024
@smcintyre-r7
Contributor Author

I looked into this some more and it seems to only occur when the SSL option is set to true.

@smcintyre-r7 smcintyre-r7 moved this from Todo to In Progress in Metasploit Kanban Dec 19, 2024
@smcintyre-r7 smcintyre-r7 self-assigned this Dec 19, 2024
@zeroSteiner zeroSteiner linked a pull request Dec 19, 2024 that will close this issue
6 tasks
@smcintyre-r7 smcintyre-r7 linked a pull request Dec 19, 2024 that will close this issue
6 tasks